Attackers have been exploiting a zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December.
The attacks have been discovered by security researcher Haifei Li (the founder of the sandbox-based exploit-detection platform EXPMON), who warned on Tuesday that the attackers are using what he described as a “highly sophisticated, fingerprinting-style PDF exploit” to target an undisclosed Adobe Reader security flaw.
Li also said that these attacks have been targeting Adobe users for at least 4 months, stealing data from compromised systems using privileged util.readFileIntoStream and RSS.addFeed Acrobat APIs, and deploying additional exploits.
“This ‘fingerprinting’ exploit has been confirmed to leverage a zero-day/unpatched vulnerability that works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file,” Li warned.
“Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim’s system.”
Haifei Li has disclosed a long list of security vulnerabilities in Microsoft, Google, and Adobe software, many of which have been exploited in zero-day attacks.
Russian-language phishing lures
Threat intelligence analyst Gi7w0rm, who also analyzed this Adobe Reader exploit, found that PDF documents pushed in these attacks contain Russian-language lures referencing ongoing events in the Russian oil and gas industry.
Li has notified Adobe about these findings and, until the company releases security updates to address this actively exploited vulnerability, advised Adobe Reader users not to open PDF documents received from untrusted contacts until a patch is released.
Network defenders can also mitigate attacks exploiting this zero-day by monitoring and blocking HTTP/HTTPS traffic containing the “Adobe Synchronizer” string in the User-Agent header.
“This zero-day/unpatched capability for broad information harvesting and the potential for subsequent RCE/SBX exploitation is enough for the security community to remain on high alert. This is why we have chosen to publish these findings immediately so users can stay vigilant,” he added.
BleepingComputer also reached out to Adobe with questions about Li’s findings, but a response was not immediately available.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
